Implementing IPsec with strongSwan and VPP


[TOC]


1. Introduction to strongswan + vpp

How strongswan and vpp are combined

We build with VPP 20.01 + strongswan 5.8.3.
The current strongSwan + vpp approach relies on strongswan's plugin mechanism and replaces two of strongswan's default plugins:

  • 1. socket-default: the socket backend that sends and receives IKE packets.
  • 2. kernel-netlink: the IPsec data-plane backend.

The default socket-default connection is replaced by VPP's punt socket. The punt socket carries IKE protocol packets from VPP up to strongswan, and strongswan sends its replies back to vpp over the same punt socket, so the IKE negotiation itself is done entirely by strongswan.
Once IKE negotiation completes, strongswan pushes the IPsec configuration (SAs, SPD policies, routes and so on) into VPP through VPP's C API. When that configuration has been pushed, the VPP IPsec tunnel is established.
strongswan is used instead of VPP's own IKE implementation because VPP's built-in IKE only supports IKEv2 and its feature set is far less complete than strongswan's.

Existing open-source projects

Author: matfabia

https://github.com/matfabia/strongswan/tree/vpp
This is the original strongswan + vpp project. It set the general direction for combining strongswan with vpp and is fairly complete; the later open-source projects all patch on top of it.
It stopped being updated right after the initial code upload. The VPP version it targets is around v18.01.

Author: mestery

https://github.com/mestery/strongswan
This project modifies the original project above to support VPP 18.10, with small API adaptations; overall it differs little from the original. It also stopped being updated, but it contains one important pull request that adds NAT-T IKE on UDP port 4500 and support for some newer VPP cipher algorithms such as GCM. That pull request was never merged into the project, probably because the author had moved on from it.

Author: rayshi-10

https://github.com/rayshi-10/Strongswan-Vpp2001
This project builds on the second project and merges that project's pull request, so it supports the additional encryption and authentication algorithms later added to VPP as well as NAT-T IKE. It then adds support for VPP v20.01. The amount of code changed in this version is considerable, because the API and data-structure changes in VPP v20.01 are substantial: most of the original IPsec configuration APIs changed and were refactored several times, and some configuration attributes were removed, so the original flow needs fairly large changes to adapt.
In VPP v20.01 the ipv4 and ipv6 configuration must be pushed explicitly as two separate entries, whereas earlier versions used an "any" attribute flag and a single entry was enough. This change deserves special attention, and this project may well have a bug here. Look at the project's manage_policy function, for example the part below: in the is_anyaddr case only one policy is pushed, which may cause problems.

if (src->is_anyaddr(src) && dst->is_anyaddr(dst))
    {
        memset(mp->entry.local_address_stop.un.ip6, 0xFF, 16);
        memset(mp->entry.remote_address_stop.un.ip6, 0xFF, 16);
    } 

This project is based on strongswan 5.6.x, not the latest release.

2. Modifying rayshi-10's code for the latest strongswan release 5.8.3

Download the source

First clone the strongswan mainline code and check out 5.8.3

git clone https://github.com/strongswan/strongswan.git
git checkout 5.8.3

Then clone rayshi-10's strongswan + vpp 20.01 code

git clone https://github.com/rayshi-10/Strongswan-Vpp2001.git

Replace the files

Then take the two directories from that project

src/libcharon/plugins/kernel_vpp/
src/libcharon/plugins/socket_vpp/

and copy them over the corresponding directories in strongswan 5.8.3. Next, add the kernel-vpp and socket-vpp related content from that project's configure.ac to the corresponding file in strongswan 5.8.3.
Note: that project's configure.ac is missing the following two lines

ADD_PLUGIN([kernel-vpp],           [c charon])
ADD_PLUGIN([socket-vpp],           [c charon])

These two lines must be added by hand at a suitable place in configure.ac,
for example like this

ADD_PLUGIN([kernel-iph],           [c charon])
ADD_PLUGIN([kernel-vpp],           [c charon])
ADD_PLUGIN([kernel-pfkey],         [c charon starter nm cmd])
ADD_PLUGIN([kernel-pfroute],       [c charon starter nm cmd])
ADD_PLUGIN([kernel-netlink],       [c charon starter nm cmd])
ADD_PLUGIN([resolve],              [c charon cmd])
ADD_PLUGIN([save-keys],            [c])
ADD_PLUGIN([socket-default],       [c charon nm cmd])
ADD_PLUGIN([socket-dynamic],       [c charon cmd])
ADD_PLUGIN([socket-win],           [c charon])
ADD_PLUGIN([socket-vpp],           [c charon])
ADD_PLUGIN([bypass-lan],           [c charon nm cmd])

Note the dnssec_status_t rename

The dnssec_status_t enum was renamed in strongswan vpp: every value in this enum was given a DNSS prefix, probably because the original names collided with identifiers in VPP. If the build fails after replacing the files, a forgotten rename is a likely cause.
After the rename it looks like this

enum dnssec_status_t {
    /**
     * The validating resolver has a trust anchor, has a chain of
     * trust, and is able to verify all the signatures in the response.
     * [RFC4033]
     */
    DNSS_SECURE,
    /**
     * The validating resolver has a trust anchor, a chain of
     * trust, and, at some delegation point, signed proof of the
     * non-existence of a DS record.  This indicates that subsequent
     * branches in the tree are provably insecure.  A validating resolver
     * may have a local policy to mark parts of the domain space as
     * insecure. [RFC4033]
     */
    DNSS_INSECURE,
    /**
     * The validating resolver has a trust anchor and a secure
     * delegation indicating that subsidiary data is signed, but the
     * response fails to validate for some reason: missing signatures,
     * expired signatures, signatures with unsupported algorithms, data
     * missing that the relevant NSEC RR says should be present, and so
     * forth. [RFC4033]
     */
    DNSS_BOGUS,
    /**
     * There is no trust anchor that would indicate that a
     * specific portion of the tree is secure.  This is the default
     * operation mode. [RFC4033]
     */
    DNSS_INDETERMINATE,
};

Change the punt read socket path

In src/libcharon/plugins/socket_vpp/socket_vpp_socket.c the project places vpp's punt read socket under /tmp. The path can be set as you like; for example I changed it as shown below so that it sits in the same directory as VPP's other unix sockets

#define READ_PATH "/var/run/vpp/ike-punt-read.sock"

3. Building the project

Install dependencies

My system is CentOS 7; the build dependencies are installed with the following commands

yum install gperf
yum install python3
yum install gmp
yum install gmp-devel

Build vpp

git clone https://github.com/FDio/vpp.git
git checkout v20.01
make install-dep
make build-release

Install the built VPP into the system

cp build-root/install-vpp-native/vpp/include/* /usr/include/ -r
cp build-root/install-vpp-native/vpp/lib/* /lib64/ -r
cp build-root/install-vpp-native/vpp/lib/vpp_plugins /lib/ -r
cp build-root/install-vpp-native/vpp/bin/vpp /usr/bin/
cp build-root/install-vpp-native/vpp/bin/vppctl /usr/bin/

Build strongswan

Preparation

The latest strongswan may fail to build on CentOS because the installed pkgconfig is too old and lacks PKG_CHECK_VAR.
Add the following definition near the top of configure.ac

# backwards compat with older pkg-config
# - pull in AC_DEFUN from pkg.m4
m4_ifndef([PKG_CHECK_VAR], [
# PKG_CHECK_VAR(VARIABLE, MODULE, CONFIG-VARIABLE,
# [ACTION-IF-FOUND], [ACTION-IF-NOT-FOUND])
# -------------------------------------------
# Retrieves the value of the pkg-config variable for the given module.
AC_DEFUN([PKG_CHECK_VAR],
[AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl
AC_ARG_VAR([$1], [value of $3 for $2, overriding pkg-config])dnl
_PKG_CONFIG([$1], [variable="][$3]["], [$2])
AS_VAR_COPY([$1], [pkg_cv_][$1])
AS_VAR_IF([$1], [""], [$5], [$4])dnl
])# PKG_CHECK_VAR
])

Run the build

./autogen.sh
./configure --enable-socket-vpp --enable-kernel-vpp --enable-libipsec --enable-openssl
make -j 8

Install the built strongswan into the system

make install

The default install prefix is /usr/local/; the main files and directories are as follows

/usr/local/bin/pki
/usr/local/sbin/ipsec
/usr/local/sbin/swanctl
/usr/local/etc/

4. Running and testing

Test topologies

So far I have tested the Roadwarrior Case and the Site-to-Site Case from the strongswan documentation, i.e. the mobile-client scenario and the gateway-to-gateway deployment scenario. Note that strongswan's configuration method has changed considerably: older versions were configured through the files in the ipsec directory, while the latest versions are generally configured through swanctl.
The README in the upstream strongswan-vpp project contains errors, so do not rely on it. For example, in the Roadwarrior Case both the gateway and the client configuration are given as:

local_ts  = 10.1.0.0/16

whereas obviously the server should have local_ts = 10.1.0.0/16 and the client should have remote_ts = 10.1.0.0/16.
Refer instead to the swanctl section of https://www.strongswan.org/testresults.html. That page records the execution of the test cases, is updated with every version, and every release automatically re-runs all of these deployment scenarios; it contains very detailed swanctl configuration and status for each stage. New deployment scenarios and configurations should be learned from that page.

Test setup

I ran two vpp + strongswan environments in two qemu-kvm virtual machines, with their interfaces connected through a kernel bridge set up with brctl.
The startup order for strongswan + vpp is: start VPP first, configure its interfaces, then start strongswan, and only then initiate the tunnel negotiation.

vpp startup configuration

startup.conf

statseg
{
  default
  per-node-counters on
}
socksvr
{
    socket-name /var/run/vpp/vpp-api.sock
}
unix
{
  cli-listen /run/vpp/cli.sock
  log /tmp/vpe.log
  nodaemon
  coredump-size 1M
}
punt 
{ 
    socket /var/run/vpp/ike-punt-write.sock
}
api-trace { on }
heapsize 4G
buffers
{
    buffers-per-numa 40000
}
plugins
{
  plugin dpdk_plugin.so
  {
    enable
  }
}
cpu
{
  # Dynamic Create Option
  main-core 0
  corelist-workers 1-7
}
dpdk
{
  log-level debug
  huge-dir /dev/hugepages
  no-tx-checksum-offload
  dev 0000:00:06.0 { name G1/1 }
  dev 0000:00:07.0 { name G1/2 }
  
}

The cpu section above must be adapted to your own environment: it pins the worker threads and the main thread to specific CPU cores. The PCI addresses of the interfaces in the dpdk section must likewise match your actual hardware. The configuration above uses openssl for IPsec encryption and decryption rather than the dpdk crypto suite; to use the dpdk crypto suite, see the last section.
The most important part of the configuration above is the punt section, which must be present. strongswan uses two punt sockets. One is specified in VPP's startup.conf and is the write socket: strongswan writes its packets to that unix socket. The other is the punt read socket, which strongswan's socket-vpp plugin registers with vpp dynamically at startup; its path is hard-coded in the plugin source, as noted above.

vpp runtime configuration

After VPP has started successfully, the interface IP addresses must be configured; they follow the topology from the test-case page mentioned above.
Below are the CLI commands for the site-to-site case in my environment.
moon configuration

vppctl set int state G1/1 up
vppctl set int state G1/2 up
vppctl set int state local0 up
vppctl set int ip addr G1/1 192.168.0.1/24
vppctl set int ip addr G1/2 10.1.0.1/16

sun configuration

vppctl set int state G1/1 up
vppctl set int state G1/2 up
vppctl set int state local0 up
vppctl set int ip addr G1/1 192.168.0.2/24
vppctl set int ip addr G1/2 10.2.0.1/16

Creating certificates

If you use certificate authentication you need to create the certificates yourself. This part is fairly tricky, because strongswan's certificate validation is strict and most certificates produced by following online tutorials fail validation. I wrote a script that creates the certificates for both scenarios using strongswan's pki tool. Before creating certificates, install the following program; without it, key generation can be extremely slow, taking tens of minutes.

yum install haveged
systemctl start haveged

The key point when creating certificates is that the id in the configuration must match the CN and the SAN entries in the certificate.

Roadwarrior Case

10.1.0.0/16 -- | 192.168.0.1 | === | x.x.x.x |
  moon-net          moon              carol

This script runs on the mobile client carol in the Roadwarrior Case. In this scenario carol's management IP is 192.168.199.102 and moon's management IP is 192.168.199.101. The certificates are copied to the peer automatically after generation; they can also be copied by hand into the corresponding directories.

#!/bin/bash

INSTALLDIR="/usr/local"
CONFIGPATH="$INSTALLDIR/etc"
SERVER_HOST=moon.strongswan.org
SERVER_IP=192.168.0.1
CLIENT_HOST=carol@strongswan.org
CLIENT_IP=192.168.0.2

# remove old files
rm -rf cert > /dev/null 2>&1
mkdir cert && cd cert

# create CA certificate
echo -e "\033[32mCreate CA certificate...\033[0m"
pki --gen --outform pem > ca.key.pem
pki --self --in ca.key.pem --dn "C=CN, O=StrongSwan, CN=StrongSwan CA" --ca --outform pem > ca.cert.pem

# create server certificate
echo -e "\033[32mCreate server certificate...\033[0m"
pki --gen --outform pem > server.key.pem
pki --pub --in server.key.pem | ipsec pki --issue --cacert ca.cert.pem \
  --cakey ca.key.pem --dn "C=CN, O=StrongSwan, CN=$SERVER_HOST" \
  --san "$SERVER_HOST" --san="$SERVER_IP" --flag serverAuth --flag ikeIntermediate \
  --outform pem > server.cert.pem

# create client certificate
echo -e "\033[32mCreate client certificate...\033[0m"
pki --gen --outform pem > client.key.pem
pki --pub --in client.key.pem | ipsec pki --issue --cacert ca.cert.pem \
  --cakey ca.key.pem --dn "C=CN, O=StrongSwan, CN=carol@strongswan.org" \
  --san "$CLIENT_HOST" --san="$CLIENT_IP" \
  --outform pem > client.cert.pem

echo -e "\033[32mInstall certificate...\033[0m"
cp ca.cert.pem $CONFIGPATH/swanctl/x509ca/strongswanCert.pem 
cp client.cert.pem $CONFIGPATH/swanctl/x509/carolCert.pem 
cp client.key.pem $CONFIGPATH/swanctl/private/carolKey.pem 

sshpass -pnsfocus scp ca.cert.pem 192.168.199.101:$CONFIGPATH/swanctl/x509ca/strongswanCert.pem 
sshpass -pnsfocus scp server.cert.pem 192.168.199.101:$CONFIGPATH/swanctl/x509/moonCert.pem
sshpass -pnsfocus scp server.key.pem 192.168.199.101:$CONFIGPATH/swanctl/private/moonKey.pem

site-to-site case

10.1.0.0/16 -- | 192.168.0.1 | === | 192.168.0.2 | -- 10.2.0.0/16
  moon-net          moon                 sun           sun-net

#!/bin/bash

INSTALLDIR="/usr/local"
CONFIGPATH="$INSTALLDIR/etc"
SERVER_HOST=moon.strongswan.org
SERVER_IP=192.168.0.1
CLIENT_HOST=sun.strongswan.org
CLIENT_IP=192.168.0.2

# remove old files
rm -rf cert > /dev/null 2>&1
mkdir cert && cd cert

# create CA certificate
echo -e "\033[32mCreate CA certificate...\033[0m"
pki --gen --outform pem > ca.key.pem
pki --self --in ca.key.pem --dn "C=CN, O=StrongSwan, CN=StrongSwan CA" --ca --outform pem > ca.cert.pem

# create server certificate
echo -e "\033[32mCreate server certificate...\033[0m"
pki --gen --outform pem > server.key.pem
pki --pub --in server.key.pem | ipsec pki --issue --cacert ca.cert.pem \
  --cakey ca.key.pem --dn "C=CN, O=StrongSwan, CN=$SERVER_HOST" \
  --san "$SERVER_HOST" --san="$SERVER_IP" --flag serverAuth --flag ikeIntermediate \
  --outform pem > server.cert.pem

# create client certificate
echo -e "\033[32mCreate client certificate...\033[0m"
pki --gen --outform pem > client.key.pem
pki --pub --in client.key.pem | ipsec pki --issue --cacert ca.cert.pem \
  --cakey ca.key.pem --dn "C=CN, O=StrongSwan, CN=$CLIENT_HOST" \
  --san "$CLIENT_HOST" --san="$CLIENT_IP" \
  --outform pem > client.cert.pem


echo -e "\033[32mInstall certificate...\033[0m"
cp ca.cert.pem $CONFIGPATH/swanctl/x509ca/strongswanCert.pem 
cp client.cert.pem $CONFIGPATH/swanctl/x509/carolCert.pem 
cp client.key.pem $CONFIGPATH/swanctl/private/carolKey.pem 
sshpass -pnsfocus scp ca.cert.pem 192.168.199.101:$CONFIGPATH/swanctl/x509ca/strongswanCert.pem 
sshpass -pnsfocus scp server.cert.pem 192.168.199.101:$CONFIGPATH/swanctl/x509/moonCert.pem
sshpass -pnsfocus scp server.key.pem 192.168.199.101:$CONFIGPATH/swanctl/private/moonKey.pem

Configuring strongswan

Enabling the vpp plugins

Before configuring anything, enable the kernel-vpp and socket-vpp plugins. First, in the configuration files of the two default plugins

/usr/local/etc/strongswan.d/charon/kernel-netlink.conf 
/usr/local/etc/strongswan.d/charon/socket-default.conf 

change the load setting so that they are no longer loaded:
load = no
Then set the load state of the two new plugins to yes in

/usr/local/etc/strongswan.d/charon/socket-vpp.conf 
/usr/local/etc/strongswan.d/charon/kernel-vpp.conf

by changing them to load = yes.
In recent strongswan versions the configuration lives mainly in /usr/local/etc/swanctl/swanctl.conf; for concrete scenarios and settings, refer to the official test cases mentioned above.

Roadwarrior Case configuration

10.1.0.0/16 -- | 192.168.0.1 | === | x.x.x.x |
  moon-net          moon              carol

Gateway (moon) configuration

Certificate locations:

/usr/local/etc/swanctl/x509ca/strongswanCert.pem
/usr/local/etc/swanctl/x509/moonCert.pem
/usr/local/etc/swanctl/private/moonKey.pem

swanctl configuration

/usr/local/etc/swanctl/swanctl.conf:
connections {
    rw {
        local {
            auth = pubkey
            certs = moonCert.pem
            id = moon.strongswan.org
        }
        remote {
            auth = pubkey
        }
        children {
            net-net {
                local_ts  = 10.1.0.0/16
            }
        }
        version = 2
        proposals = aes128-sha256-curve25519
    }
}

vpp runtime configuration:

vppctl set int state G1/1 up
vppctl set int state G1/2 up
vppctl set int state local0 up
vppctl set int ip addr G1/1 192.168.0.2/24
vppctl set int ip addr G1/2 10.2.0.1/16

Mobile client (carol) configuration

Certificate locations:

/usr/local/etc/swanctl/x509ca/strongswanCert.pem
/usr/local/etc/swanctl/x509/carolCert.pem
/usr/local/etc/swanctl/private/carolKey.pem

swanctl configuration:

/usr/local/etc/swanctl/swanctl.conf:
connections {
    home {
        remote_addrs = moon.strongswan.org
        local_addrs = 192.168.0.2

        local {
            auth = pubkey
            certs = carolCert.pem
            id = carol@strongswan.org
        }
        remote {
            auth = pubkey
            id = moon.strongswan.org
        }
        children {
            home {
                remote_ts  = 10.1.0.0/16
                start_action = start
            }
        }
        version = 2
        proposals = aes128-sha256-curve25519
    }
}

vpp runtime configuration:

vppctl set int state G1/1 up
vppctl set int state G1/2 up
vppctl set int state local0 up
vppctl set int ip addr G1/1 192.168.0.2/24

site-to-site configuration

10.1.0.0/16 -- | 192.168.0.1 | === | 192.168.0.2 | -- 10.2.0.0/16
  moon-net          moon                 sun           sun-net

site1 (moon) configuration

Certificate locations:

/usr/local/etc/swanctl/x509ca/strongswanCert.pem
/usr/local/etc/swanctl/x509/moonCert.pem
/usr/local/etc/swanctl/private/moonKey.pem

swanctl configuration

/usr/local/etc/swanctl/swanctl.conf:
connections {

   gw-gw {
      local_addrs  = 192.168.0.1
      remote_addrs = 192.168.0.2

      local {
         auth = pubkey
         certs = moonCert.pem
         id = moon.strongswan.org
      }
      remote {
         auth = pubkey
         id = sun.strongswan.org
      }
      children {
         net-net {
            local_ts  = 10.1.0.0/16
            remote_ts = 10.2.0.0/16
            
            rekey_time = 5400
            rekey_bytes = 500000000
            rekey_packets = 1000000
            esp_proposals = aes128gcm128-sha256
         }
      }
      version = 2
      mobike = no
      reauth_time = 10800
      proposals = aes128-sha256-x25519
   }
}

vpp configuration

vppctl set int state G1/1 up
vppctl set int state G1/2 up
vppctl set int state local0 up
vppctl set int ip addr G1/1 192.168.0.1/24
vppctl set int ip addr G1/2 10.1.0.1/16

site2 (sun) configuration

Certificate locations:

/usr/local/etc/swanctl/x509ca/strongswanCert.pem
/usr/local/etc/swanctl/x509/carolCert.pem
/usr/local/etc/swanctl/private/carolKey.pem

swanctl configuration

/usr/local/etc/swanctl/swanctl.conf:
connections {

   gw-gw {
      local_addrs  = 192.168.0.2
      remote_addrs = 192.168.0.1

      local {
         auth = pubkey
         certs = carolCert.pem
         id = sun.strongswan.org
      }
      remote {
         auth = pubkey
         id = moon.strongswan.org
      }
      children {
         net-net {
            local_ts  = 10.2.0.0/16
            remote_ts = 10.1.0.0/16

            rekey_time = 5400
            rekey_bytes = 500000000
            rekey_packets = 1000000
            esp_proposals = aes128gcm128-sha256
         }
      }
      version = 2
      mobike = no
      reauth_time = 10800
      proposals = aes128-sha256-x25519
   }
}

vpp configuration

vppctl set int state G1/1 up
vppctl set int state G1/2 up
vppctl set int state local0 up
vppctl set int ip addr G1/1 192.168.0.2/24
vppctl set int ip addr G1/2 10.2.0.1/16

Running it

Start VPP first and apply the strongswan and VPP configuration, then start strongswan on both ends with systemctl start strongswan-starter.service.
Use swanctl --stats to verify that the vpp plugins were loaded correctly, and check /var/log/messages for errors.
Then check on the VPP side whether strongswan has connected; if it has, vpp should show the following

[root@localhost home]# vppctl show api clients
Shared memory clients
                Name      PID   Queue Length           Queue VA Health
          strongswan    14102              0 0x00000001301ce9c0 OK
[root@localhost home]# vppctl show udp punt
IPV4 UDP ports punt : 500, 4500
IPV6 UDP ports punt : 500, 4500

Run swanctl --load-all on both ends to load all configuration and certificates.
On the initiating end, run the initiate command. The name net-net comes from the children section of the current swanctl.conf.

swanctl --initiate --child net-net
or
swanctl --initiate --child home

Check /var/log/messages for success; output like the following shows that the IKE negotiation succeeded

Apr  8 18:05:06 localhost ipsec: 08[CFG] initiating 'home'
Apr  8 18:05:06 localhost ipsec: 08[IKE] initiating IKE_SA home[1] to 192.168.0.1
Apr  8 18:05:06 localhost ipsec: 08[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Apr  8 18:05:06 localhost ipsec: 08[NET] sending packet: from 192.168.0.2[500] to 192.168.0.1[500] (240 bytes)
Apr  8 18:05:06 localhost ipsec: 05[NET] sending vpp packet: from 192.168.0.2[500] to 192.168.0.1[500] by sock 8
Apr  8 18:05:06 localhost charon: 16[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
Apr  8 18:05:06 localhost ipsec: 10[NET] received packet: from 192.168.0.1[500] to 192.168.0.2[500] (273 bytes)
Apr  8 18:05:06 localhost ipsec: 10[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
Apr  8 18:05:06 localhost ipsec: 10[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/CURVE_25519
Apr  8 18:05:06 localhost ipsec: 10[IKE] received cert request for "C=CN, O=StrongSwan, CN=StrongSwan CA"
Apr  8 18:05:06 localhost ipsec: 10[IKE] sending cert request for "C=CN, O=StrongSwan, CN=StrongSwan CA"
Apr  8 18:05:06 localhost ipsec: 10[IKE] authentication of 'carol@strongswan.org' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
Apr  8 18:05:06 localhost ipsec: 10[IKE] sending end entity cert "C=CN, O=StrongSwan, CN=carol@strongswan.org"
Apr  8 18:05:06 localhost ipsec: 10[IKE] establishing CHILD_SA home{1}
Apr  8 18:05:06 localhost ipsec: 10[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Apr  8 18:05:06 localhost ipsec: 10[ENC] splitting IKE message (1488 bytes) into 2 fragments
Apr  8 18:05:06 localhost ipsec: 10[ENC] generating IKE_AUTH request 1 [ EF(1/2) ]
Apr  8 18:05:06 localhost ipsec: 10[ENC] generating IKE_AUTH request 1 [ EF(2/2) ]
Apr  8 18:05:06 localhost ipsec: 10[NET] sending packet: from 192.168.0.2[500] to 192.168.0.1[4500] (1252 bytes)
Apr  8 18:05:06 localhost ipsec: 10[NET] sending packet: from 192.168.0.2[500] to 192.168.0.1[4500] (308 bytes)
Apr  8 18:05:06 localhost ipsec: 05[NET] sending vpp packet: from 192.168.0.2[500] to 192.168.0.1[4500] by sock 8
Apr  8 18:05:06 localhost ipsec: 05[NET] sending vpp packet: from 192.168.0.2[500] to 192.168.0.1[4500] by sock 8
Apr  8 18:05:06 localhost ipsec: 11[NET] received packet: from 192.168.0.1[4500] to 192.168.0.2[500] (1252 bytes)
Apr  8 18:05:06 localhost ipsec: 11[ENC] parsed IKE_AUTH response 1 [ EF(1/2) ]
Apr  8 18:05:06 localhost ipsec: 11[ENC] received fragment #1 of 2, waiting for complete IKE message
Apr  8 18:05:06 localhost ipsec: 16[NET] received packet: from 192.168.0.1[4500] to 192.168.0.2[500] (164 bytes)
Apr  8 18:05:06 localhost ipsec: 16[ENC] parsed IKE_AUTH response 1 [ EF(2/2) ]
Apr  8 18:05:06 localhost ipsec: 16[ENC] received fragment #2 of 2, reassembled fragmented IKE message (1344 bytes)
Apr  8 18:05:06 localhost ipsec: 16[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
Apr  8 18:05:06 localhost ipsec: 16[IKE] received end entity cert "C=CN, O=StrongSwan, CN="
Apr  8 18:05:06 localhost ipsec: 16[CFG]   using certificate "C=CN, O=StrongSwan, CN="
Apr  8 18:05:06 localhost ipsec: 16[CFG]   using trusted ca certificate "C=CN, O=StrongSwan, CN=StrongSwan CA"
Apr  8 18:05:06 localhost charon: 16[IKE] received end entity cert "C=CN, O=StrongSwan, CN="
Apr  8 18:05:06 localhost ipsec: 16[CFG] checking certificate status of "C=CN, O=StrongSwan, CN="
Apr  8 18:05:06 localhost ipsec: 16[CFG] certificate status is not available
Apr  8 18:05:06 localhost charon: 16[CFG]   using certificate "C=CN, O=StrongSwan, CN="
Apr  8 18:05:06 localhost charon: 16[CFG]   using trusted ca certificate "C=CN, O=StrongSwan, CN=StrongSwan CA"
Apr  8 18:05:06 localhost charon: 16[CFG] checking certificate status of "C=CN, O=StrongSwan, CN="
Apr  8 18:05:06 localhost charon: 16[CFG] certificate status is not available
Apr  8 18:05:06 localhost charon: 16[CFG]   reached self-signed root ca with a path length of 0
Apr  8 18:05:06 localhost charon: 16[IKE] authentication of 'moon.strongswan.org' with RSA_EMSA_PKCS1_SHA2_256 successful
Apr  8 18:05:06 localhost charon: 16[IKE] IKE_SA home[1] established between 192.168.0.2[carol@strongswan.org]...192.168.0.1[moon.strongswan.org]
Apr  8 18:05:06 localhost charon: 16[IKE] scheduling rekeying in 14049s
Apr  8 18:05:06 localhost charon: 16[IKE] maximum IKE_SA lifetime 15489s
Apr  8 18:05:06 localhost charon: 16[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ
Apr  8 18:05:06 localhost charon: 16[KNL] firstly created, spd for G1/1 found sw_if_index is 1
Apr  8 18:05:07 localhost charon: 16[IKE] CHILD_SA home{1} established with SPIs c079e4f7_i c8e6f92e_o and TS 192.168.0.2/32 === 10.1.0.0/16
Apr  8 18:05:07 localhost charon: 16[IKE] peer supports MOBIKE

At this point, looking at the vpp configuration should show the IPsec state that was pushed

[root@localhost home]# vppctl show ipsec all
[0] sa 1 (0x1) spi 4158945728 (0xf7e479c0) protocol:esp flags:[tunnel ]
[1] sa 2 (0x2) spi 788129480 (0x2ef9e6c8) protocol:esp flags:[tunnel ]
spd 1
 ip4-outbound:
   [1] priority 2147483647 action bypass type ip4-outbound protocol IPSEC_AH
     local addr range 0.0.0.0 - 255.255.255.255 port range 0 - 65535
     remote addr range 0.0.0.0 - 255.255.255.255 port range 0 - 65535
     packets 0 bytes 0
   [3] priority 2147483647 action bypass type ip4-outbound protocol IPSEC_ESP
     local addr range 0.0.0.0 - 255.255.255.255 port range 0 - 65535
     remote addr range 0.0.0.0 - 255.255.255.255 port range 0 - 65535
     packets 0 bytes 0
   [5] priority 2147483647 action bypass type ip4-outbound protocol UDP
     local addr range 0.0.0.0 - 255.255.255.255 port range 500 - 500
     remote addr range 0.0.0.0 - 255.255.255.255 port range 0 - 65535
     packets 0 bytes 0
   [7] priority 2147483647 action bypass type ip4-outbound protocol UDP
     local addr range 0.0.0.0 - 255.255.255.255 port range 4500 - 4500
     remote addr range 0.0.0.0 - 255.255.255.255 port range 0 - 65535
     packets 0 bytes 0
   [10] priority 2147480764 action protect type ip4-outbound protocol any sa 2
     local addr range 192.168.0.2 - 192.168.0.2 port range 0 - 65535
     remote addr range 10.1.0.0 - 10.1.255.255 port range 0 - 65535
     packets 0 bytes 0
 ip6-outbound:
 ip4-inbound-protect:
   [8] priority 2147480764 action protect type ip4-inbound-protect protocol any sa 1
     local addr range 192.168.0.2 - 192.168.0.2 port range 0 - 65535
     remote addr range 10.1.0.0 - 10.1.255.255 port range 0 - 65535
     packets 0 bytes 0
   [9] priority 2147480764 action protect type ip4-inbound-protect protocol any sa 1
     local addr range 192.168.0.2 - 192.168.0.2 port range 0 - 65535
     remote addr range 10.1.0.0 - 10.1.255.255 port range 0 - 65535
     packets 0 bytes 0
 ip6-inbound-protect:
 ip4-inbound-bypass:
   [0] priority 2147483647 action bypass type ip4-inbound-bypass protocol IPSEC_AH
     local addr range 0.0.0.0 - 255.255.255.255 port range 0 - 65535
     remote addr range 0.0.0.0 - 255.255.255.255 port range 0 - 65535
     packets 0 bytes 0
   [2] priority 2147483647 action bypass type ip4-inbound-bypass protocol IPSEC_ESP
     local addr range 0.0.0.0 - 255.255.255.255 port range 0 - 65535
     remote addr range 0.0.0.0 - 255.255.255.255 port range 0 - 65535
     packets 0 bytes 0
   [4] priority 2147483647 action bypass type ip4-inbound-bypass protocol UDP
     local addr range 0.0.0.0 - 255.255.255.255 port range 500 - 500
     remote addr range 0.0.0.0 - 255.255.255.255 port range 0 - 65535
     packets 0 bytes 0
   [6] priority 2147483647 action bypass type ip4-inbound-bypass protocol UDP
     local addr range 0.0.0.0 - 255.255.255.255 port range 4500 - 4500
     remote addr range 0.0.0.0 - 255.255.255.255 port range 0 - 65535
     packets 0 bytes 0
 ip6-inbound-bypass:
SPD Bindings:
  1 -> G1/1
[root@localhost home]# vppctl show ipsec sa detail
[0] sa 1 (0x1) spi 4158945728 (0xf7e479c0) protocol:esp flags:[tunnel ]
   locks 3
   salt 0x0
   thread-indices [encrypt:-1 decrypt:-1]
   seq 0 seq-hi 0
   last-seq 0 last-seq-hi 0 window 0000000000000000000000000000000000000000000000000000000000000000
   crypto alg aes-cbc-128 key [redacted]
   integrity alg sha-256-128 key [redacted]
   packets 0 bytes 0
   table-ID 0 tunnel src 192.168.0.1 dst 192.168.0.2
    resovle via fib-entry: 10
    stacked on:
      [@3]: dpo-load-balance: [proto:ip4 index:12 buckets:1 uRPF:13 to:[3:1773]]
        [0] [@2]: dpo-receive: 192.168.0.2 on G1/1
[1] sa 2 (0x2) spi 788129480 (0x2ef9e6c8) protocol:esp flags:[tunnel ]
   locks 2
   salt 0x0
   thread-indices [encrypt:-1 decrypt:-1]
   seq 0 seq-hi 0
   last-seq 0 last-seq-hi 0 window 0000000000000000000000000000000000000000000000000000000000000000
   crypto alg aes-cbc-128 key [redacted]
   integrity alg sha-256-128 key [redacted]
   packets 0 bytes 0
   table-ID 0 tunnel src 192.168.0.2 dst 192.168.0.1
    resovle via fib-entry: 15
    stacked on:
      [@3]: dpo-load-balance: [proto:ip4 index:17 buckets:1 uRPF:18 to:[3:1884]]
        [0] [@5]: ipv4 via 192.168.0.1 G1/1: mtu:9000 525400023faf5254008ce41c0800
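As an added check (not part of the original post or of the kernel-vpp plugin), the script below cross-references the CHILD_SA line from the strongswan log with the `vppctl show ipsec all` output above: the SPIs strongswan logs (c079e4f7_i, c8e6f92e_o) appear in VPP with their bytes reversed (0xf7e479c0, 0x2ef9e6c8), each SA must be bound to a protect policy whose address ranges equal the negotiated traffic selectors, and the inbound-protect policy for sa 1 is installed twice ([8] and [9]), which the check reports. The sample input is trimmed from the output shown in the post.

```python
"""Cross-check a strongSwan CHILD_SA log line against `vppctl show ipsec all`."""
import ipaddress
import re

# Constructed sample: the CHILD_SA line from /var/log/messages in the post.
SWAN_LOG = (
    "Apr  8 18:05:07 localhost charon: 16[IKE] CHILD_SA home{1} established "
    "with SPIs c079e4f7_i c8e6f92e_o and TS 192.168.0.2/32 === 10.1.0.0/16"
)

# Constructed sample: trimmed `vppctl show ipsec all` output from the post.
VPP_SHOW_IPSEC = """\
[0] sa 1 (0x1) spi 4158945728 (0xf7e479c0) protocol:esp flags:[tunnel ]
[1] sa 2 (0x2) spi 788129480 (0x2ef9e6c8) protocol:esp flags:[tunnel ]
spd 1
 ip4-outbound:
   [10] priority 2147480764 action protect type ip4-outbound protocol any sa 2
     local addr range 192.168.0.2 - 192.168.0.2 port range 0 - 65535
     remote addr range 10.1.0.0 - 10.1.255.255 port range 0 - 65535
 ip4-inbound-protect:
   [8] priority 2147480764 action protect type ip4-inbound-protect protocol any sa 1
     local addr range 192.168.0.2 - 192.168.0.2 port range 0 - 65535
     remote addr range 10.1.0.0 - 10.1.255.255 port range 0 - 65535
   [9] priority 2147480764 action protect type ip4-inbound-protect protocol any sa 1
     local addr range 192.168.0.2 - 192.168.0.2 port range 0 - 65535
     remote addr range 10.1.0.0 - 10.1.255.255 port range 0 - 65535
"""

CHILD_RE = re.compile(
    r"CHILD_SA \S+ established with SPIs (?P<spi_in>[0-9a-f]{8})_i "
    r"(?P<spi_out>[0-9a-f]{8})_o and TS (?P<local_ts>\S+) === (?P<remote_ts>\S+)"
)
SA_RE = re.compile(r"^\[\d+\] sa (?P<idx>\d+) \(0x[0-9a-f]+\) spi \d+ \(0x(?P<spi>[0-9a-f]+)\)")
POLICY_HDR_RE = re.compile(r"^\s+\[\d+\] priority")
PROTECT_RE = re.compile(r"^\s+\[\d+\] priority \d+ action protect type (?P<type>\S+) .* sa (?P<sa>\d+)$")
RANGE_RE = re.compile(r"^\s+(?P<side>local|remote) addr range (?P<lo>\S+) - (?P<hi>\S+)")


def byteswap_spi(spi_hex):
    """strongSwan logs the SPI in wire (network) byte order; the VPP output
    shows the same 32-bit value with its four bytes reversed."""
    return bytes.fromhex(spi_hex)[::-1].hex()


def parse_child_sa(log_line):
    """Extract inbound/outbound SPI and the traffic selectors from the log line."""
    m = CHILD_RE.search(log_line)
    if not m:
        raise ValueError("no CHILD_SA established line found")
    return m.groupdict()


def parse_show_ipsec(text):
    """Return ({sa_index: spi_hex}, [protect policies with their address ranges])."""
    sas, policies, cur = {}, [], None
    for line in text.splitlines():
        m = SA_RE.match(line)
        if m:
            sas[int(m["idx"])] = m["spi"].zfill(8)
        elif POLICY_HDR_RE.match(line):
            m = PROTECT_RE.match(line)          # bypass policies are skipped
            cur = {"type": m["type"], "sa": int(m["sa"])} if m else None
            if cur:
                policies.append(cur)
        else:
            m = RANGE_RE.match(line)
            if m and cur is not None:
                cur[m["side"]] = (m["lo"], m["hi"])
    return sas, policies


def range_matches_ts(rng, ts):
    """True when a VPP 'lo - hi' address range equals the prefix ts exactly."""
    if rng is None:
        return False
    net = ipaddress.ip_network(ts, strict=False)
    return (ipaddress.ip_address(rng[0]) == net[0]
            and ipaddress.ip_address(rng[1]) == net[-1])


def check_child_sa(log_line, show_ipsec):
    """Return a list of findings; an empty list means the VPP state matches the log."""
    child = parse_child_sa(log_line)
    sas, policies = parse_show_ipsec(show_ipsec)
    spi_to_sa = {spi: idx for idx, spi in sas.items()}
    expect = {"in": byteswap_spi(child["spi_in"]), "out": byteswap_spi(child["spi_out"])}
    findings = []
    for direction, spi in expect.items():
        if spi not in spi_to_sa:
            findings.append(f"{direction}bound SPI 0x{spi} is not installed in VPP")
    for direction, ptype in (("in", "ip4-inbound-protect"), ("out", "ip4-outbound")):
        sa_idx = spi_to_sa.get(expect[direction])
        hits = [p for p in policies if p["type"] == ptype and p["sa"] == sa_idx
                and range_matches_ts(p.get("local"), child["local_ts"])
                and range_matches_ts(p.get("remote"), child["remote_ts"])]
        if not hits:
            findings.append(f"no {ptype} protect policy for SA {sa_idx} with TS "
                            f"{child['local_ts']} === {child['remote_ts']}")
        elif len(hits) > 1:
            findings.append(f"{len(hits)} identical {ptype} policies for SA {sa_idx}")
    return findings


if __name__ == "__main__":
    for finding in check_child_sa(SWAN_LOG, VPP_SHOW_IPSEC) or ["VPP state matches the log"]:
        print(finding)
```

On a live box, feed it the real CHILD_SA line and the full `vppctl show ipsec all` output; bypass policies and extra SAs are ignored, so the full dump can be passed unchanged.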
        

Looking at vpp's FIB, the corresponding route was added dynamically as well. In the Roadwarrior scenario, for example, the client carol automatically gets a 10.1.0.0/16 route via 192.168.0.1 on G1/1

[root@localhost home]# vppctl show ip fib
ipv4-VRF:0, fib_index:0, flow hash:[src dst sport dport proto ] epoch:0 flags:none locks:[adjacency:1, default-route:1, nat-hi:2, ]
0.0.0.0/0
  unicast-ip4-chain
  [@0]: dpo-load-balance: [proto:ip4 index:1 buckets:1 uRPF:0 to:[0:0]]
    [0] [@0]: dpo-drop ip4
0.0.0.0/32
  unicast-ip4-chain
  [@0]: dpo-load-balance: [proto:ip4 index:2 buckets:1 uRPF:1 to:[0:0]]
    [0] [@0]: dpo-drop ip4
10.1.0.0/16
  unicast-ip4-chain
  [@0]: dpo-load-balance: [proto:ip4 index:18 buckets:1 uRPF:20 to:[0:0]]
    [0] [@5]: ipv4 via 192.168.0.1 G1/1: mtu:9000 525400023faf5254008ce41c0800
10.2.0.0/32
  unicast-ip4-chain
  [@0]: dpo-load-balance: [proto:ip4 index:14 buckets:1 uRPF:15 to:[0:0]]
    [0] [@0]: dpo-drop ip4
10.2.0.0/16
  unicast-ip4-chain
  [@0]: dpo-load-balance: [proto:ip4 index:13 buckets:1 uRPF:14 to:[0:0]]
    [0] [@4]: ipv4-glean: G1/2: mtu:9000 ffffffffffff52540008713e0806
10.2.0.1/32
  unicast-ip4-chain
  [@0]: dpo-load-balance: [proto:ip4 index:16 buckets:1 uRPF:19 to:[0:0]]
    [0] [@2]: dpo-receive: 10.2.0.1 on G1/2
10.2.255.255/32
  unicast-ip4-chain
  [@0]: dpo-load-balance: [proto:ip4 index:15 buckets:1 uRPF:17 to:[0:0]]
    [0] [@0]: dpo-drop ip4
192.168.0.0/32
  unicast-ip4-chain
  [@0]: dpo-load-balance: [proto:ip4 index:10 buckets:1 uRPF:9 to:[0:0]]
    [0] [@0]: dpo-drop ip4
192.168.0.1/32
  unicast-ip4-chain
  [@0]: dpo-load-balance: [proto:ip4 index:17 buckets:1 uRPF:18 to:[3:1884]]
    [0] [@5]: ipv4 via 192.168.0.1 G1/1: mtu:9000 525400023faf5254008ce41c0800
192.168.0.0/24
  unicast-ip4-chain
  [@0]: dpo-load-balance: [proto:ip4 index:9 buckets:1 uRPF:8 to:[1:108]]
    [0] [@4]: ipv4-glean: G1/1: mtu:9000 ffffffffffff5254008ce41c0806
192.168.0.2/32
  unicast-ip4-chain
  [@0]: dpo-load-balance: [proto:ip4 index:12 buckets:1 uRPF:13 to:[3:1773]]
    [0] [@2]: dpo-receive: 192.168.0.2 on G1/1
192.168.0.255/32
  unicast-ip4-chain
  [@0]: dpo-load-balance: [proto:ip4 index:11 buckets:1 uRPF:11 to:[0:0]]
    [0] [@0]: dpo-drop ip4
224.0.0.0/4
  unicast-ip4-chain
  [@0]: dpo-load-balance: [proto:ip4 index:4 buckets:1 uRPF:3 to:[0:0]]
    [0] [@0]: dpo-drop ip4
240.0.0.0/4
  unicast-ip4-chain
  [@0]: dpo-load-balance: [proto:ip4 index:3 buckets:1 uRPF:2 to:[0:0]]
    [0] [@0]: dpo-drop ip4
255.255.255.255/32
  unicast-ip4-chain
  [@0]: dpo-load-balance: [proto:ip4 index:5 buckets:1 uRPF:4 to:[0:0]]
    [0] [@0]: dpo-drop ip4

In the Roadwarrior scenario, pinging 10.1.0.1 from the mobile client carol now succeeds

vpp# ping 10.1.0.1
116 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=7.7229 ms
116 bytes from 10.1.0.1: icmp_seq=2 ttl=64 time=1.2671 ms
116 bytes from 10.1.0.1: icmp_seq=3 ttl=64 time=4.2904 ms
116 bytes from 10.1.0.1: icmp_seq=4 ttl=64 time=8.3667 ms
116 bytes from 10.1.0.1: icmp_seq=5 ttl=64 time=1.3370 ms

A packet capture in the middle at this point should show ESP packets. Looking at vpp's node counters, the figures below confirm that the IPsec tunnel is established and carrying traffic

vpp# show errors  
   Count                    Node                  Reason
         5          ipsec4-output-feature         IPSec policy protect
         5              esp4-encrypt              ESP pkts received
         5              esp4-decrypt              ESP pkts received
         5          ipsec4-input-feature          IPSEC pkts received
         5          ipsec4-input-feature          IPSEC pkts matched
         5          ipsec4-output-feature         IPSec policy bypass
         5              esp4-encrypt              ESP pkts received

The site-to-site scenario can be verified the same way. Further scenarios can be set up from the official test-case site mentioned above.

Using the DPDK crypto suite

The VPP startup.conf above uses the openssl crypto suite; for higher throughput, use the DPDK crypto suite instead. To enable it, change the dpdk section of startup.conf to the configuration below, which adds the dpdk crypto virtual device vdev crypto_aesni_mb

dpdk
{
  log-level debug
  huge-dir /dev/hugepages
  vdev crypto_aesni_mb
  dev 0000:00:06.0 { name G1/1 }
  dev 0000:00:07.0 { name G1/2 }
}

添加完成之后,可以使用下面的命令查看

show dpdk crypto devices
show dpdk crypto
show ipsec backends 

Check whether the DPDK crypto device has been loaded:

vpp# show dpdk crypto devices 
crypto_aesni_mb          crypto_aesni_mb     up        
  numa_node 0, max_queues 8
  SYMMETRIC_CRYPTO, SYM_OPERATION_CHAINING, CPU_AVX2, CPU_AESNI, OOP_LB_IN_LB_OUT
  Cipher: aes-cbc-128, aes-cbc-192, aes-cbc-256, aes-ctr-128, aes-ctr-192, aes-ctr-256, aes-gcm-128, aes-gcm-192, aes-gcm-256
  Auth: md5-96, sha1-96, sha-256-96, sha-256-128, sha-384-192, sha-512-256
  enqueue 0          dequeue 0          enqueue_err 0          dequeue_err 0          
  free_resources 1 :
                     thr_id  -1 qp  7 enc_inflight 0, dec_inflights 0
  used_resources 7 :
                     thr_id   1 qp  0 enc_inflight 0, dec_inflights 0
                     thr_id   2 qp  1 enc_inflight 0, dec_inflights 0
                     thr_id   3 qp  2 enc_inflight 0, dec_inflights 0
                     thr_id   4 qp  3 enc_inflight 0, dec_inflights 0
                     thr_id   5 qp  4 enc_inflight 0, dec_inflights 0
                     thr_id   6 qp  5 enc_inflight 0, dec_inflights 0
                     thr_id   7 qp  6 enc_inflight 0, dec_inflights 0

show dpdk crypto placement shows which threads the DPDK crypto devices are bound to. One thing to note here: if VPP runs in multi-threaded mode, the DPDK crypto devices are not bound to the vpp_main thread, and the crypto entry node dpdk-crypto-input is likewise bound only to the worker threads. Normal gateway forwarding still works, because every incoming IPsec packet is handled by the dpdk-crypto-input node on a worker thread, which holds the DPDK crypto resources.
However, an operation like the one above, pinging the peer directly from the gateway, does not work and produces the following error:

dpdk-esp4-encrypt           Cipher/Auth not supported

/var/log/messages shows the following log line:

dpdk_esp_encrypt_inline:247: unsupported SA by thread index 0

My guess is that ping, like protocol and control packets, is handled on the vpp_main thread, and vpp_main has no DPDK crypto resources allocated, so ESP processing fails because the main thread cannot find the SA. I suspect this is a bug in the upstream IPsec code that does not account for this scenario. Single-threaded mode is not affected. To fix it, one could try modifying the code so that the cipher registration in dpdk_ipsec_process does not perform the skip_master step, but I have not tried this.

vpp# show dpdk crypto placement 
Thread 1 (vpp_wk_0):
  crypto_aesni_mb      dev-id  0 queue-pair  0

Thread 2 (vpp_wk_1):
  crypto_aesni_mb      dev-id  0 queue-pair  1

Thread 3 (vpp_wk_2):
  crypto_aesni_mb      dev-id  0 queue-pair  2

Thread 4 (vpp_wk_3):
  crypto_aesni_mb      dev-id  0 queue-pair  3

Thread 5 (vpp_wk_4):
  crypto_aesni_mb      dev-id  0 queue-pair  4

Thread 6 (vpp_wk_5):
  crypto_aesni_mb      dev-id  0 queue-pair  5

Thread 7 (vpp_wk_6):
  crypto_aesni_mb      dev-id  0 queue-pair  6

Check whether the IPsec crypto backend has switched to the dpdk backend:

vpp# show ipsec backends 
IPsec AH backends available:
           Name                     Index             Active  
  crypto engine backend               0                 yes   
IPsec ESP backends available:
           Name                     Index             Active  
  crypto engine backend               0                 no    
       dpdk backend                   1                 yes     
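As an added check (example code, not from the post or any of the projects above), the following Python parses constructed samples in the format of the show ipsec backends and show dpdk crypto placement output shown here, reports which backend is active, and flags the multi-thread pitfall described above: no crypto queue pair on vpp_main, which is what makes gateway-originated ESP fail with "Cipher/Auth not supported".

```python
import re
# Constructed sample in the format of `vpp# show ipsec backends`
SAMPLE_BACKENDS = """\
IPsec AH backends available:
           Name                     Index             Active
  crypto engine backend               0                 yes
IPsec ESP backends available:
           Name                     Index             Active
  crypto engine backend               0                 no
       dpdk backend                   1                 yes
"""
# Constructed sample in the format of `vpp# show dpdk crypto placement`
SAMPLE_PLACEMENT = """\
Thread 1 (vpp_wk_0):
  crypto_aesni_mb      dev-id  0 queue-pair  0
Thread 2 (vpp_wk_1):
  crypto_aesni_mb      dev-id  0 queue-pair  1
"""

def active_backends(text):
    """Return {'AH': name, 'ESP': name} for the backends marked Active = yes."""
    result, section = {}, None
    for line in text.splitlines():
        m = re.match(r"IPsec (AH|ESP) backends available:", line)
        if m:
            section = m.group(1)
            continue
        # data rows: <name> <index> <yes|no>; header rows do not match
        m = re.match(r"\s*(.+?)\s+(\d+)\s+(yes|no)\s*$", line)
        if m and section and m.group(3) == "yes":
            result[section] = m.group(1)
    return result

def crypto_placement(text):
    """Return {thread_name: [(device, dev_id, queue_pair), ...]}."""
    placement, thread = {}, None
    for line in text.splitlines():
        m = re.match(r"Thread \d+ \((\w+)\):", line)
        if m:
            thread = m.group(1)
            placement[thread] = []
            continue
        m = re.match(r"\s*(\S+)\s+dev-id\s+(\d+)\s+queue-pair\s+(\d+)", line)
        if m and thread:
            placement[thread].append((m.group(1), int(m.group(2)), int(m.group(3))))
    return placement

def main_thread_has_crypto(text):
    """False => ESP originated on vpp_main (e.g. a CLI ping) fails in multi-thread mode."""
    return bool(crypto_placement(text).get("vpp_main"))
```

Feed the real output of the two commands into these functions to confirm that the ESP backend is "dpdk backend" and to see in advance whether traffic originated on vpp_main will hit the error above.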